Introduction to Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+


Use Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ to ingest your Qualys VM 
detections into QRadar and visualize them on a single page. All you need to do is install the app, 
configure it and schedule the sync. The Qualys VM app continuously pulls your detection 
delta, so you always see updated reports. Want to visualize historical data? Just use the date-time 
pickers in the Qualys VM tab to see useful reports. 


Features 
- Support for multi-tenant environment 
- Updates for Summary Tab Widget and Reports / Search Tab 
- QRadar authentication token workflow to upgrade an existing version of Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ and for fresh installations 
- Advanced tab that shows the success and failure messages for the running ETLs, with process IDs. Users can download ETL logs from the Advanced tab 


Prerequisites 


Make sure you have: 
- A valid Qualys subscription 
- API access to Qualys VM module 
- Knowledgebase API access, if you want to enable Knowledgebase input 
- Internet access and your Qualys API server must be reachable from QRadar 


Note: This app is compatible with these versions only: QRadar 7.3.3 FP6+, 7.4.1 FP2+ and 7.4.2 GA+. 


Note: If you are upgrading from Qualys app for QRadar 1.2.0 or an earlier version to Qualys VM for 
QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ Version 2.x.x, make sure to save the Qualys App 
Settings again even if you saved them in the earlier version. 


Install the App 


1) Login to QRadar and go to the Admin tab. 

2) Click Extensions Management. 

3) Click the Add button and upload the extension .zip file. Don't have it? Click here to 
download Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+. 

4) Confirm whether you want to replace/skip any existing contents with those coming from 
the extension and click Install. 


Note: 
The app can be installed in either of these two ways if you want to use it in a multi-tenant 
environment: 

- If you install Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ with the 
"Start default instance for each App" checkbox checked, a shared instance is created 
for all the security profiles. In this case, to avoid the app appearing multiple times 
for non-admin profiles, you need to delete the shared instance from the QRadar 
Assistant app and manually create separate instances for the desired security 
profiles. For more information, refer to Creating an instance. 
- If you install Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ with the 
"Start default instance for each App" checkbox unchecked, the app is installed 
without creating any instances. In this case, you need to create instances for the 
desired security profiles. For more information, refer to Creating an instance. 

5) Once installation is completed, refresh your QRadar user interface. 
6) You should see the tab Qualys VM in the top menu. 
7) Deploy changes once app installation is completed. 


Validating Dependencies 


Please go through each of the sections listed below. You need to carry out the following steps 
manually, right after you install the app and before you start using it. Some sections may not be 
applicable in your case, and you may need to skip them. 


Log Source Event Mapping 


1) Go to Admin > DSM Editor. 
2) In Select Log Source Type, search for “Qualys LEEF” and click Select. 


[Screenshot: "Select Log Source Type" dialog ("Choose an existing Log Source Type to modify, or create a new Log Source Type") with Qualys LEEF entered, and the Select, Create New and Cancel buttons.] 


3) From the Qualys LEEF screen, go to the Event Mappings tab. There must be a mapping for 
QualysMultiline; if you don't see one, create it (refer to the steps below). 
4) Click the add (+) icon to add a new mapping. The "Create a new Event Mapping" pop-up opens. Set 
Event ID as "QualysMultiline" (without quotes) and Category as "QualysMultiline" 
(without quotes). 
5) Click the Choose Event link. In the "Event Categorizations" pop-up that opens, click the 
Create New button. Set the values as follows: 
- Name: QualysMultiline Information 
- Description: QualysMultiline Information 
- Log Source Type: Qualys LEEF 
- High Level Category: System 
- Low Level Category: Information 
- Severity: 2 
6) Click Save. This takes you back to "Event Categorizations". 
7) Click and select the newly created entry, which is shown in the "Search Results" table. 
8) Click Ok. This takes you back to "Create a new Event Mapping". 
9) Click Create. This takes you back to the "Qualys LEEF" pop-up - Event Mappings tab. 
10) Confirm that you now have 3 entries, including Event ID "QualysMultiline" - Category 
"QualysMultiline". 
11) Finally, click Save and close the window. 
Enable Last Scan Datetime Parsing 


1) Go to Admin > DSM Editor. 
2) In Select Log Source Type, search and select "Qualys LEEF". 
3) In the pop-up that opens, go to Properties. In the list of properties, search and open "Last 
Scan Datetime". 
4) In the Property Configuration > Expression section, click Edit. 
5) Notice the Enabled field. This field may be in a disabled state (grayed out). If disabled, 
select the Enabled field. It changes color. 
6) Click OK in the Expression section. 
7) Click Save and close the window. 


Log Source 


When you install the app, it creates a new Log Source named "QualysMultiline". Please check that it 
is created. You can also create a custom log source for the Qualys app with the following steps. 
Keep the configuration of the custom log source the same as that mentioned below. 


1) Qualys VM sends data to the QRadar console only. The app cannot be used in a 
distributed setup. 
2) On your console UI, go to Admin > Data Sources > Log Sources and click the Add button. 
3) Add the details shown below to the form to create the QualysMultiline Log Source. All fields 
marked with an asterisk (*) are mandatory. Make sure your Log Source Name and Log 
Source Identifier have the same value. 

Property: Value 

- Log Source Name: QualysMultiline (Customizable) 
- Log Source Description: QualysMultiline 
- Log Source Type: Qualys LEEF 
- Protocol Configuration: TCP Multiline Syslog 
- Log Source Identifier: QualysMultiline (Customizable, but same as Log Source Name) 
- Listen Port: 12468 (Customizable) 
- Aggregation Method: Start/End Matching 
- Event Start Pattern: [A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s 
- Event End Pattern: qualys_event_ends 
- Event Formatter: No Formatting 
- Show Advanced Options: Yes 
- Use Custom Source Name: Unchecked 
- Use As A Gateway Log Source: Checked 
- Flatten Multiline Events Into Single Line: Checked 
- Retain Entire Lines During Event Aggregation: Checked 
- Enabled: Checked 
- Credibility: 5 
- Target Event Collector: <default/your choice> 
- Coalescing Events: Unchecked 
- Store Event Payload: Checked 
- Log Source Extension: QualysLEEFCustom_ext 
4) Click Save. 


If you create this new Log Source manually, you must do a full deployment. For that, 
go to Admin > Advanced and click Deploy Full Configuration. 


Custom Event Properties 


1) Go to Admin > Log Sources and confirm that the QualysMultiline Log Source is Enabled. If it 
is disabled, please enable it. 

2) Go to Admin > Custom Event Properties and confirm that all 25 Qualys related 
properties are Enabled and are linked to the "Qualys LEEF" log source type. 


Qualys related properties are: 

- App Version 
- PCI Flag 
- Qualys QID 
- Severity Level 
- QID Category 
- CVE 
- Last Fixed Datetime 
- Operating System 
- Qualys Host ID 
- Tracking Method 
- First Found Datetime 
- Qualys Severity 
- Last Scan Datetime 
- AppID 
- Last Test Datetime 
- Detection Type 
- Patchable 
- Last Update Datetime 
- Network ID 
- Last Found Datetime 
- QIDTitle 
- Host IP 
- Status 
- DNS 
- Tags 


For the Qualys related properties, complete these checks: 


1) If any property is disabled, enable it. 

2) If any property does not belong to the Qualys LEEF log source type, open it to edit 
and select Qualys LEEF as the log source type. 

3) If any property does not belong to the QualysMultiline log source, open it to edit and select 
QualysMultiline as the log source. 

4) Check that all Custom Event Properties have Event Name set to QualysMultiline 
Information. If not, select Event Name as QualysMultiline Information. 

Finally, save the properties. 




If you do not see the properties, please refer to the Troubleshooting section in this document to 
learn how to delete and recreate Log Source Type “Qualys LEEF”. 


For any change in Custom Event Properties, it is recommended to do Deploy Full Configuration. 
Configure the App 


For Single User Instance - If you want to use Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 
FP2+/7.4.2 GA+ as a single user instance, you only need to complete the steps mentioned in Qualys 
API Configurations. 


Multi-tenant Environment - If you want to use Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 
FP2+/7.4.2 GA+ in a multi-tenant environment, you need to complete the steps mentioned in the 
Multi-tenant Environment section and then the steps mentioned in Qualys API Configurations. 


Qualys API Configurations 


Complete the following steps once you configure the app. 


1) Login to QRadar and go to the Admin tab. 
2) Scroll to “Apps” section and click Qualys VM App Settings. A pop-up window opens. 


Credentials 


The QRadar Authorization token is used to interact securely with QRadar. You can obtain this 
token from Admin > User Management > Authorized Services. 


For a multi-tenant environment, make sure that you create an authorized service token with the 
user role of the security profile's users, and select the same security profile as the one for 
which the instance is created and configured. For more information, refer to Adding an authorized service. 


For example, here we've created an instance for Security Profile A, and the users who will use this 
instance have the user role User Role A. Hence, while creating the authentication token for the created 
instance, follow these steps: 


1) Go to Authorized Services in the Admin tab. 
2) Click Add Authorized Service. 
3) Enter the desired Service Name. 
4) Select User Role as User Role A. 
5) Select Security Profile as Security Profile A. 
6) Set the expiry date as required. 
7) Click Create Service and then click Deploy changes. 


[Screenshot: Qualys VM App Settings, Credentials tab (tabs: Credentials, Host Detection, Knowledgebase, Advanced). The tab reads: "To get started, an authorization token of the respective user role and security profile is required. Please contact your system administrator to generate an authorization service token. Note: Deploy changes once the token is created." Fields: QRadar Authorization Token; Log Source Name (select list); Qualys API Server URL (e.g. https://qualysapi.qualys.com); Qualys API Username; Qualys API Password; "Use a proxy server for API calls" checkbox; Proxy Server (e.g. 10.10.10.2:8080); Save button.] 
Use the Credentials tab to configure your Qualys credentials. Enter your Qualys API server, 
username and password in the appropriate fields. 




Proxy Configuration 

If you want the Qualys app to use a proxy while calling the API, configure the proxy details. 
Select the check box to enable the proxy. 

Add your proxy server and proxy port in <proxy server>:<proxy port> format. 


If your proxy needs authentication, add the proxy user and proxy password along with server and 
port, in <proxy user>:<proxy password>@<proxy server>:<proxy port> format. 
Host Detection 


Use the Host Detection tab to configure and enable Host Detection input. 


[Screenshot: Host Detection tab. Fields: Enable Host Detection fetch (checkbox); Host Detection Cron Schedule; Start Date-Time (e.g. 2000-01-01T00:00:00Z); Extra API Parameters (e.g. {"show_igs": 1}); Add Tags to Events (checkbox).] 


You must enable this input in order to use this extension. To enable this input, select the 
checkbox in front of Enable Host Detection fetch. 


In the Host Detection Cron Schedule field, write a valid cron entry (time part only). Your input 
will run according to this schedule. This is a mandatory field. It's advised that you keep the cron 
schedule in sync with your scanning schedule. For example, if you run scans once a day, 
schedule this input to run once a day. Learn about cron expressions... 


(Optional) In the "Start Date-Time" field, enter the date from which you wish to fetch the VM 
detection data. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), 
like "2007-01-25T23:12:00Z". This field is optional and may be left blank. When left blank, it 
defaults to 1999-01-01T00:00:00Z. 


(Optional) If you want to provide any extra parameters for the Host Detection API, set them in 
the Extra API Parameters field, in valid JSON format. Please refer to the Qualys API (VM, PC) User 
Guide for a list of API input parameters. This field is optional and may be left blank. 


(Optional) If you want to get Tags in VM detection data, select the "Add Tags to Events" option. 


Knowledgebase 
Use Knowledgebase tab to configure and enable Knowledgebase input. 


A copy of Qualys knowledgebase is bundled with this extension. To keep it up to date, please 
enable this input. It is advised that you update your knowledgebase copy at least once a week. 


To enable this input, select the checkbox in front of Enable Knowledgebase fetch. 


In the Knowledgebase Cron Schedule field, write a valid cron entry (time part only). Your input 
will run according to this schedule. This is a mandatory field. You might not want to run this 
every day. Once a week is also OK. Learn about cron expressions... 


(Optional) If you want to provide any extra parameters for the Knowledgebase API, set them in 
the Extra API Parameters field, in valid JSON format. Please refer to the Qualys API (VM, PC) User 
Guide for a list of API input parameters. This field is optional and may be left blank. 
You can specify the KB table batch size to define the number of records to be pulled per batch for faster 
loading. 


[Screenshot: Knowledgebase tab. Fields: Enable Knowledgebase fetch (checkbox); Knowledgebase Cron Schedule; Extra API Parameters (e.g. {"is_patchable": 1}); KB table batch size (e.g. 1000).] 


Advanced 


Use the Advanced tab to see the last success and last failure for host detection and knowledgebase. 


[Screenshot: Advanced tab. Host Detection - Last Success: 19 minutes ago, "3688 host detection(s) logged"; Last Failure: 2 minutes ago, "Response Code:401, Got unexpected response from API: ACCESS DENIED". Knowledgebase - Last Success: 46 minutes ago, "Added 1693 new QID(s) and updated 1022 QID(s)"; Last Failure: 2 minutes ago, "Error during request to https://qualysapi.qualys.com/api/2.0/fo/knowledge_base/vuln/: API request failed: <?xml version="1.0" encoding="UTF-8" ?>...". Download Application Logs: this includes the app.log, startup.log and background job log files. Application ID: 1104.] 


Advanced Configurations 


These are advanced, optional configurations that give you additional benefits 
while using Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+. 
Index Management 


From the QRadar Console, you can use the Index Management tool to control database indexing 
on event and flow properties. By adding an indexed field in your search query, it helps to 
improve the speed of searches in QRadar by narrowing the overall data. Learn how to modify 
database indexing in the Index Management tool by making use of statistics before and after you 
enable or disable indexing on multiple properties. 


Steps to enable indexing for the specific custom event properties: 


1) On the navigation menu, click Admin and then click Index Management in the System 
Configuration section. 


2) Search, select and click Enable Index for the properties listed below: 

- Qualys Host Id (custom) 
- Qualys Severity (custom) 
- Qualys QID (custom) 
- Status (custom) 
- Last Scan Date (custom) 
- Detection Type (custom) 


Once you click Enable Index, the Indexed column shows a green bubble for the indexed property. 


[Screenshot: Index Management page (Enable Index / Disable Index buttons; Display: Last 30 Days, View: All, Database: All, Show: All) before and after enabling the index on Qualys Host Id (custom). Columns: Indexed, % of Searches Using Property, % of Searches Hitting Index, % of Searches Missing Index, Data Written, Database; example row: Qualys Host Id (custom), 2.04%, 0%, 98.8%, 0 KB, events. The page warns that enabling indexing on too many properties can have a negative impact on system performance and that you should return to the page after adjusting indexing to monitor the health of the indexes.] 


3) Click Save. 


For more information, refer Index management. 
Multi-tenant Environment 


Multitenant environments allow Managed Security Service Providers (MSSPs) and multi- 
divisional organizations to provide security services to multiple client organizations from a 
single and shared IBM QRadar deployment. You don't have to deploy a unique QRadar instance 
for each customer. 


In a multitenant deployment, you ensure that customers see only their data by creating domains 
that are based on their QRadar input sources. Then, use security profiles and user roles to 
manage privileges for large groups of users within the domain. Security profiles and user roles 
ensure that users have access to only the authorized information. 


Achieving Multi-tenancy and Segregating Data into Different Log Sources 


Prerequisites for Setup: 
- QRadar version should be 7.4.1 Fix Pack 2, 7.4.2 GA+ or later. 
- QRadar Assistant App must be installed with Version 3.0.0 or later 
- Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ should be installed 
- QRadar Log Source Management app should be installed 


Prerequisites for Configurations: 
- Creating and Configuring Log Sources - Event ID, Event Category and Event Mappings 
- Creating Tenant 
- Creating and assigning a domain to the tenant 
- Creating a Security profile and associating Domains and Log sources to it 
- Creating a user role for Tenant users 
- Creating the tenant users with the desired User role and Security profile 
Creating and Configuring Log Source 


You can create custom log sources of the "Qualys LEEF" log source type to segregate the data. For 
more information, see Log Sources. 


1. After creating the Log Sources, go to DSM Editor and search for the "Qualys LEEF" log source 
type. 

2. Add Event ID and Event Category in the Properties tab specific to the log source for which 
data is to be pulled. In the DSM Editor, in the Qualys LEEF log source type's Properties tab, 
create a new Event ID and Event Category (for example 'QualysMultiline') matching the Log 
Source you created, add the format string for both Event ID and Event Category, then save. 


[Screenshot: DSM Editor, Qualys LEEF - Properties tab, Event Category and Event ID with "Override system behavior" selected. Each property has expressions of Expression Type: Regex, Format String: $1, Use Predictive Parsing checked: Expression (QualysMultiline) for the bundled log source, and Expression (QualysSydney) for a custom log source named QualysSydney.] 


Note: If you are upgrading from the Qualys app for QRadar 1.2.0, where Event ID and Event 
Category were configured for the required log source, you will need to repeat Step 2 
after the upgrade, since the Qualys LEEF Log Source Type properties are replaced by the new app on 
upgrading. 
3. Create the event mapper in the "Event Mappings" tab specific to the created log source: 

- Create an event mapper in the "Event Mappings" tab and choose the already existing 
QID, i.e. 'QualysMultiline'. 
- Enter the same values in the "Event ID" and "Event Category" fields as per the log source 
name, then click Choose QID and search for "QualysMultiline Information". 


Note: This way the user-created event mapper will inherit the configuration of the 
"QualysMultiline" event mapper that comes bundled with the app installation. 


[Screenshot: DSM Editor, Qualys LEEF - Event Mappings tab, with the "QID Records" dialog ("Search for an existing QID record to assign, or create a new one") open for a custom log source named QualysBarcelona: QID/Name search "QualysMultiline" returns one record with High Level Category System and Low Level Category Information (Total: 1, Selected: 1).] 


Now you will be able to pull the data into the desired Log Source by following the above steps 
and saving the same log source in the Qualys VM App Settings. 


Managing Multi-tenant Apps 


Qualys VM for QRadar - QRadar 7.3.3 FP6+/7.4.1 FP2+/7.4.2 GA+ can now be used in a multi-tenant 
environment for QRadar 7.4.1 Fix Pack 2, 7.4.2 GA+ or later. 

When a user installs the app, they are presented with the option to create a default instance. 
Users can select this option if they only want a single instance of the app, or the app does not 
need to support multi-tenancy. If a user does not select the Default Instance option, they must 
create a separate instance and associate each instance with a security profile to keep each 
tenant's data separate. 


Creating an Instance 


1. Click the QRadar Assistant app icon, and then click Applications. 

2. Ensure you're in the List View (Manage > List View option) in Application Manager. 

3. In the Installed Extensions section, click the ellipsis icon (...) in the Options column of 
the extension and then click Create New Instance. 
[Screenshot: IBM QRadar Assistant - Applications, Installed Extensions list view (columns: Name, Status, Version, Number of Instances, Total Memory, Installed By, Install Date, Options) with the Options menu for "Qualys VM for QRadar..." open, offering Stop All Instances, Delete All Instances and Create New Instance. Memory Allowance: 73.4% used - 2.3 GB / 3.1 GB.] 


4. Select the security profile for which the app instance is to be created and click Next. 


[Screenshot: Create New Instance wizard, step "Select Security Profile" (followed by Select User Role and Summary & Finish). The wizard notes: "When creating a new instance of an Extension, it must be bound to a security profile. Please select a security profile from the table below before continuing. Only one security profile can be selected. If this instance requires an authorized service token, that authorized service must be assigned the same security profile selected here."] 


5. Select the user role shown for the selected security profile and click Next. 

6. Review the summary and click Confirm & Create to create an instance. 

7. Once you confirm the changes, the app will be installed for that security profile and the app 
instance will be created. Run the following command to check the app ID for the instance: 
/opt/qradar/support/recon ps 

8. Go to the Admin tab and click Deploy Changes. 
Managing Instances 


After you create multiple instances, they are listed as shown below with the total memory 
consumed and the memory for each instance. 


[Screenshot: QRadar Assistant - Installed Extensions, with "Qualys VM for QRadar..." (2 instances, 400 MB total) expanded to show its instances (columns: Instance Name, Status, Security Profile, Domains, Tenants, Memory, Created By, Creation Date, Options), one bound to the Admin security profile and one to a tenant security profile, 200 MB each. Memory Allowance: 67.2% used - 2.1 GB / 3.1 GB.] 


To configure the Qualys VM App Settings from QRadar Assistant for the created instances, follow 
the steps mentioned below: 


1. Click the ellipsis icon (...) in the Options column for the instance and then click 
Configure Instance > Qualys VM App Settings. 

2. Complete the configuration on the Configuration page. For more information, see Qualys 
VM App Settings. 


For more information related to other options, refer Managing instances. 


Configuring Instance 


For a multi-tenant instance, once you complete the above configurations, proceed with 
Qualys API Configurations. 
How the Qualys App works 


What happens after configuration? 


Once you configure and enable the Host Detection input, the application bundled with this extension 
starts fetching your VM detection data. By default, it pulls detection data for 10 hosts at a 
time. This value is set to such a small number to make sure the app can process your data 
without hitting the memory limit governed by QRadar. The first run might take some time 
depending on your scan volume. After that, subsequent pulls are incremental, fetching 
only new/changed data. 


How does data get into QRadar? 


Whenever cron runs a job (based on the cron schedule you defined), the app makes an outbound API 
call to Qualys, transforms the XML response it receives into LEEF format and sends it to 
QRadar over a socket using the TCP port configured in the "QualysMultiline" Log Source. Using the DSM 
Editor configuration and the "Qualys LEEF" Log Source Type provided with this extension, QRadar then 
puts this data into the "events" table in the Ariel database. 
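To make this pipeline and the QualysMultiline Log Source settings from the Log Source table concrete, here is an added Python example (not the app's code) that turns a constructed, simplified detection XML into LEEF events framed by a syslog-style header and the qualys_event_ends marker, then re-splits the stream the way the Start/End Matching and "Flatten Multiline Events Into Single Line" settings would (an approximation of QRadar's aggregation, not its implementation). The XML element names and LEEF attribute keys are assumptions; only the start/end patterns and the QualysMultiline event ID come from this guide.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample, loosely shaped like a Qualys Host List Detection
# response. Not a real API response; element names are assumptions here.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>101166659</ID><IP>10.0.0.5</IP>
  <OS>Windows 7 Ultimate 64 bit Edition Service Pack 1</OS>
  <LAST_SCAN_DATETIME>2021-04-22T10:15:00Z</LAST_SCAN_DATETIME>
  <DETECTION_LIST>
    <DETECTION><QID>38628</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>11827</QID><TYPE>Confirmed</TYPE><SEVERITY>2</SEVERITY><STATUS>New</STATUS></DETECTION>
  </DETECTION_LIST></HOST>
<HOST><ID>113870509</ID><IP>10.0.0.9</IP><OS>Ubuntu Linux 16.04</OS>
  <LAST_SCAN_DATETIME>2021-04-22T10:20:00Z</LAST_SCAN_DATETIME>
  <DETECTION_LIST>
    <DETECTION><QID>38657</QID><TYPE>Potential</TYPE><SEVERITY>3</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
  </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# Settings taken from the QualysMultiline Log Source table in this guide.
EVENT_START = re.compile(r"[A-Z][a-z][a-z]\s\d\d\s\d\d:\d\d:\d\d\s")
EVENT_END = "qualys_event_ends"
# The string the DSM Editor regex (QualysMultiline) must find in the payload.
EVENT_ID = "QualysMultiline"


def syslog_header(when):
    # e.g. "Apr 22 10:30:00 ": exactly the shape Event Start Pattern matches.
    return when.strftime("%b %d %H:%M:%S ")


def xml_to_leef(xml_text, now=None):
    """Emit one LEEF 1.0 event per DETECTION, framed for Start/End Matching.
    LEEF attribute keys are demo assumptions, not the app's real keys."""
    now = now or datetime(2021, 4, 22, 10, 30, 0, tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)
    events = []
    for host in root.iter("HOST"):
        host_fields = {
            "qualysHostId": host.findtext("ID"),
            "src": host.findtext("IP"),
            "os": host.findtext("OS"),
            "lastScanDatetime": host.findtext("LAST_SCAN_DATETIME"),
        }
        for det in host.iter("DETECTION"):
            fields = dict(host_fields)
            fields.update({
                "qid": det.findtext("QID"),
                "detectionType": det.findtext("TYPE"),
                "qualysSeverity": det.findtext("SEVERITY"),
                "status": det.findtext("STATUS"),
            })
            attrs = "\t".join(f"{k}={v}" for k, v in fields.items())
            # Syslog header + LEEF line, then the end marker on its own line.
            events.append(
                f"{syslog_header(now)}LEEF:1.0|Qualys|VM|demo|{EVENT_ID}|{attrs}\n"
                f"{EVENT_END}\n"
            )
    return events


def split_events(stream):
    """Approximate Start/End Matching with flattening: an event opens at each
    Event Start Pattern match, closes at the Event End Pattern, and its lines
    are joined into one. A new start closes a pending event; a trailing event
    with no end marker stays pending and is not emitted."""
    events, current = [], None
    for line in stream.splitlines():
        if EVENT_START.match(line):
            if current:
                events.append(" ".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
        if current is not None and EVENT_END in line:
            events.append(" ".join(current))
            current = None
    return events


def leef_attrs(event):
    """Return the key=value attributes of one flattened LEEF event as a dict."""
    payload = event.split("|", 5)[5]
    payload = payload.split(" " + EVENT_END)[0]
    return dict(kv.split("=", 1) for kv in payload.split("\t"))


if __name__ == "__main__":
    for ev in split_events("".join(xml_to_leef(SAMPLE_XML))):
        a = leef_attrs(ev)
        print(a["qualysHostId"], a["src"], a["qid"], a["status"])
```

A header that does not match the Event Start Pattern (an ISO-8601 timestamp, for instance) is never aggregated, which is why the pattern and the syslog-style header have to agree.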


Using the Qualys app 


Summary 


When you click the Qualys VM tab in the top menu, you'll see a summary dashboard provided 
by the app. It renders the following reports: 


- Count of Active Hosts 
- Detections by Severity 
- Detections by Status 
- Detections by Type 
- Top 10 Affected Hosts 
- Top 10 Vulnerabilities 


[Screenshot: Qualys VM tab, Summary dashboard (sub-tabs Summary, Knowledgebase, Reports, Search) for Start Date-Time 2021-04-15 17:01 to End Date-Time 2021-04-22 17:01: Active Hosts count; Detections by Severity; Detections by Status (New, Active, Fixed, Re-Opened); Detections by Type (Info, Confirmed, Potential); Top 10 Affected Hosts (Qualys Host Id, Host IP, Total Vulnerabilities); Top 10 Vulnerabilities (Vulnerability, Affected Hosts), e.g. "SSL/TLS Server supports TLSv1.0 [38628]" on 9052 hosts and "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) [38657]" on 8206 hosts.] 
By default, these reports are based on detection data in the last 20 days. To change this date-
time range, use "Start Date-Time" and "End Date-Time" and click the Search button. When you 
click Search, all the reports are updated according to the new date-time range that you've 
defined. 


Knowledgebase 


The application has a default copy of the knowledgebase bundled with it. This menu shows you 
some visualizations of the current knowledgebase copy. If you enabled the knowledgebase input, 
this copy is kept up to date. It also shows the knowledgebase in tabular format. 


[Screenshot: Knowledgebase tab. Total Vulnerabilities: 61630. Charts: Vulnerabilities by Category (e.g. Local, SUSE, Fedora, OEL, CGI, Debian, Ubuntu, RedHat, Amazon Linux, Windows), Vulnerabilities by Type (Vulnerability, Potential Vulnerability, Information Gathered, Vulnerability or Potential Vulnerability), Vulnerabilities by Patchability (Yes, No), Vulnerabilities by Severity. Below, a Knowledgebase table with columns QID, Title, Category, Type, Patchable, Published On, Last Service Modification, PCI, CVEs, listing recent SUSE and Ubuntu security update QIDs.] 

Reports 


You can view reports of vulnerabilities by hosts and of hosts by vulnerabilities within a specific 
date range. 


Note: Not all the data is pulled at once; only 20 records are displayed per page. To see the 
remaining data, use the pagination controls. 


Vulns by Hosts 
[Screenshot: Report for Vulns by Hosts, with Start Date-Time and End Date-Time pickers and a 
table with columns Host ID, IP Address, Operating System, Total Vulnerabilities.] 


Click on the count of Total Vulnerabilities to view the vulnerabilities on that host. 


[Screenshot: Report for Vulns by Hosts populated with results (Showing 1 to 20 of 1,301 entries), 
listing Host ID, IP Address, Operating System and Total Vulnerabilities for each host.] 


Vulns appear in table format. 


[Screenshot: Showing Vulnerabilities on a host (Showing 1 to 20 of 535 entries); table columns 
QID, Title, Severity, Category, Detection Type, Patchable, Status.] 


Hosts by Vulns 
[Screenshot: Report for Hosts by Vulns, with Start Date-Time and End Date-Time pickers and a 
table with columns QID, QID Title, Severity, Category, Detection Type, Patchable, Total Hosts.] 


Click on the count of Total Hosts to view the affected hosts for that QID. 


[Screenshot: Report for Hosts by Vulns populated with results (Showing 1 to 20 of 7,927 entries), 
listing QID, QID Title, Severity, Category, Detection Type, Patchable and Total Hosts for each QID.] 


Hosts appear in table format. 


[Screenshot: Showing Affected Hosts for a QID (Showing 1 to 20 of 7,344 entries); table columns 
Host ID, IP Address, Operating System, Status.] 
Search 


You can search for vulnerabilities in the Search tab by QID, by CVE, or by IP address. 


Note: Not all the data is pulled at once; only 20 records are displayed per page. To see the 
remaining data, use the pagination controls. 


Search by IP Address: 


[Screenshot: Search for Vulnerabilities by IP address, with a Start Date-Time picker, an IP 
Address(es) field and a table with columns Host ID, IP Address, Operating System, Confirmed 
Vulnerabilities.] 


Click on the count of Confirmed Vulnerabilities to view the vulnerabilities on that host. 


[Screenshot: Search for Vulnerabilities by IP address with one matching host (Showing 1 to 1 of 1 
entries).] 


Vulns appear in table format. 


[Screenshot: Showing Vulnerabilities on the host (Showing 1 to 20 of 336 entries); table columns 
QID, QID Title, CVE, Severity, Category, Patchable, Status.] 


Search by QID or CVE: 


[Screenshot: Search for Vulnerabilities by QID or CVE, with a Start Date-Time picker, a QID/CVE 
selector and search field, and a table with columns QID, QID Title, CVE, Severity, Category, 
Detection Type, Patchable, Total Hosts.] 


Click on the count of Total Hosts to view the affected hosts for the QID or CVE. 


[Screenshot: Search for QID 38739 returning one entry (Deprecated SSH Cryptographic Settings, 
severity 2, category General remote services, Confirmed, not patchable, 363 total hosts).] 


Vulns appear in table format. 


[Screenshot: Showing Affected Hosts for a QID (Showing 1 to 3 of 3 entries); table columns 
Host ID, IP Address, Operating System, Status.] 


Raw Data 


There may be times when you want to see the raw data. Follow these steps: 
1) Go to the Log Activity tab and open the Advanced Search field. 


2) In the Advanced Search field, paste the sample AQL below. (Tip: for more AQLs, see the 
Troubleshooting section of this guide.) 

SELECT "Qualys Host Id", "Operating System", "Last Scan Datetime", "Tracking 
Method", "Qualys QID", "Qualys Severity", "Detection Type", "Status" from 
events where devicetype = '4001' 


3) Select the date range for which you want to see the data. 
4) Click Search. 


Depending on the results, you may want to widen or narrow the date-time range of your 
search. You can also run your own AQL queries to find more specific data. Refer to the 
fields of the "Qualys LEEF" log source for the names of the Qualys fields. 
Input Logs 


While running, the host detection input sends its logs to QRadar over syslog. To see them, use 
the following AQL in Log Activity > Advanced Search, following the same steps as described 
above. 


Host Detection 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%Qualys:HostDetection%' ORDER BY utf8_payload ASC 


Knowledgebase 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%Qualys:Knowledgebase%' ORDER BY utf8_payload ASC 
Uninstalling the app 
1) Uninstall the app from Admin > Extensions Management. 


2) Delete the saved searches for this app (in case of Qualys App version 1.0.1 or lower): 
a. Go to Log Activity > Search > New Search. 
b. In Available Saved Searches, find the saved searches starting with "Qualys" and delete them. 


3) Delete the custom event properties for this app: 
a. Go to Admin > Custom Event Properties. 
b. Search for and delete all entries associated with the Qualys LEEF log source type (search 
for "qualys" and delete all the entries displayed in the search results). 


4) Delete the Log Source extension: 
a. Go to Admin > Log Source Extensions. 
b. Delete the entry with extension "QualysLEEFCustom_ext". 


5) Delete the Log Source: 
a. Go to Admin > Log Sources. 
b. Delete the log source named "Qualys" or "QualysMultiline". 


6) Delete the custom event mapping from Qualys LEEF: 
a. Go to Admin > DSM Editor. 
b. Search for and open Qualys LEEF and go to the Event Mappings tab. 
c. Delete the entry with Event ID / Category "Qualys" or "QualysMultiline". 
d. Click the Save button and close the tab. 


Even when the app has to be uninstalled because of a problem, it should be uninstalled cleanly. 
Any leftover artifacts can interfere with the next installation attempt and leave the app in an 
unstable state. 

When the app is installed, the components listed above are installed in QRadar, so to uninstall 
it completely those components also need to be removed. 
Troubleshooting 


If you see no data 


If the application isn't bringing in your VM detection data, go through the list below: 


1) Check with AQL whether the data is being indexed properly. 
2) Check the app configuration. 
- Check that the host detection ETL is enabled in Qualys VM App Settings. 
- Check that the cron jobs are scheduled properly. For more information about cron job 
scheduling, refer to https://crontab.guru/. 
- Make sure you have the correct API and access permissions. 
- Make sure your credentials are correct. 
- If you set a start date-time, make sure it complies with the format Qualys requires. 
- If you added extra API parameters, make sure the JSON is valid and that all the 
extra parameters listed are valid. 
3) Make sure you have done Deploy Full Configuration and that your TCP port is listening. 
4) Make sure QRadar has Internet access and is able to reach your Qualys API server. 
5) Check that your host detection ETL is running: 
Log in to the Qualys App container and run the command below: 
ps aux | grep python 




If your host detection job is not running 


To run the host detection ETL, run the following command: 
python /opt/app-root/app/etl_host_detection.py -d 
Once you run the above command, make sure you see output like the following: 


python /opt/app-root/app/etl_host_detection.py -d 
:04:45Z PID=7159 Qualys:HostDetection etl_host_detection DEBUG: Debugging !! 
PID=7159 Qualys:HostDetection etl_host_detection : Will be sending LEEF data to over socket. 
PID=7159 Qualys:HostDetection etl_host_detection : Qualys app version : 1.0.0 
PID=7159 Qualys:HostDetection etl_host_detection : Console IP: 
PID=7159 Qualys:HostDetection utils : /opt/app-root/app/host_detection.pid had pid 7155, but there is no process running with th 
w pid file. 
PID=7159 Qualys:HostDetection utils : START: vm_detections xml clean-up. 
PID=7159 Qualys:HostDetection utils : vm_detections does not have any old xml files to clean. 
PID=7159 Qualys:HostDetection etl_host_detection : Using Log Source Identifier and Listen PORT for the Log Source Id: 162 
PID=7159 Qualys:HostDetection etl_host_detection : Log Source Identifier: QualysMultiline 
PID=7159 Qualys:HostDetection etl_host_detection : Opened socket connection to DSM Port:12468 


If you get "[Errno 111] Connection refused" error 


Following error messages will be displayed for different cases: 


Case 1 


ERROR: Socket connection on port 12468 configured for 'QualysMultiline' log 
source is refused, 'Deploy Full Configuration'. Error while connecting to 
Socket: [Errno 111] Connection refused 


This error occurs when the Listen port is not LISTENING. You need to do the Deploy Full 
Configuration on QRadar box to resolve this issue. 


Case 2 
Making Request - https://qualysapi.qualys.com/msp/about.php with PARAM: {} 
2020-01-16T10:19:58Z PID=421 Qualys:HostDetection client ERROR: Error during 
request to https://qualysapi.qualys.com/msp/about.php: <urlopen error [Errno 
111] Connection refused> 

This error occurs if the proxy settings are not configured on the Qualys VM App Settings page. 
You need to configure the proxy in Qualys VM App Settings. 


If you see the "HTTP Error 401: Unauthorized" error 


This error occurs if you provide invalid credentials. To resolve it, check the API server 
URL and the credentials. 


If you see 'Number of host detections logged = 0' in the host detection log 


This can be due to the following reasons: 

- No scan was performed on the POD in the given period of time. 

- No vulnerabilities were detected by the scan. 

- The API parameters are incorrect. 
For example, the 'vm_processed_after': '1999-01-01 00:00' is wrong in the following API 
request. 
https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/ with 
PARAM: {'truncation_limit': 10, 'show_results': 0, 'show_igs': 1, 
'output_format': 'XML', 'show_tags': 0, 'action': 'list', 
'vm_processed_after': '1999-01-01 00:00'} 


If you see the "corresponding record not found in KB" message 
The following message may appear in the Host Detection logs: 


A record for QID QID-Number found on Host %s, but its corresponding record 
not found in KB. May be KB is not updated. 


This means you have detections for the given QID but, because your knowledgebase is not up to 
date, the app could not enrich the event data with the QID details (title, category, CVEs, 
patchable, and so on). Most likely you have not enabled the Knowledgebase input in Qualys VM App 
Settings. Enable it and schedule it to run at least once a week. 


If you see an "Internal Server Error" while saving settings 


1) This error occurs if the Log Source 'QualysMultiline' is not configured. You need to complete 
the Log Source configuration. 


2) This error occurs if 'Deploy Full Configuration' was not done before configuring the Qualys App 
for QRadar. 


3) The log source TCP port is not listening. To check, run the following command on the QRadar box. 


netstat -tulpn | grep LISTEN 


To enable the TCP listen port, you need to do Deploy Full Configuration. If the port is still not 
listening after Deploy Full Configuration, please contact IBM Support. 
4) There might be an issue with the cron service. Follow the steps given below to identify 
the issue. 

- Go to the QRadar terminal and connect to the Qualys app's container. Check whether the cron 
service is up and running; if it is not running, start it. 


- If you do not find the cron service, QRadar did not install cron while installing the Qualys 
app. You will have to install the cron service manually and start it. You can confirm the issue 
from the /opt/app-root/store/log/startup.log file as well; it should indicate that the cron 
installation failed. 


If dashboard widgets are not showing data in a multi-tenant environment 


When the dashboard widgets are not loading or show no data even though the data fetch has 
completed: 

- Check whether the "Event ID", "Event Category", and "Event Mapping" have been created for the 
desired log source as suggested. 

- If multiple log sources are created, and the "Event ID", "Event Category" and "Event 
Mapping" are created for each of them, make sure all of them are created in the same order. For 
example, if the user has 3 log sources, "QualysMultiline" (default), "QualysTokyo" and 
"QualysBerlin", then the event IDs and event categories must be created in that same order. 

If the order in which "Event ID" and "Event Category" are created does not match the order of 
the log sources, the order in "QualysLEEFCustom_ext" may be affected and event parsing may 
fail. The events may then be classified as "Unknown" and not sent to the selected log source. 


DSM editor doesn't show Tags or DNS properties and you can't add them 


After installation of the Qualys App, if the DSM editor does not show the TAGS and DNS properties, 
you can try adding them manually. If you are unable to add them manually, follow these steps: 


1) Check whether the "QualysMultiline" Log Source has the correct Log Source Type. If it is not 
correct, delete the log source. 

2) From the DSM editor, delete the "Qualys LEEF" entry and create a new one. Add the appropriate 
event mappings as described in the Check Log Source Event Mapping section of this 
document. 

3) Create a new Log Source using the newly created "Qualys LEEF" as the Log Source Type. 
4) Complete the Deploy Full Configuration step. 

5) Go through the Check Custom Event Properties section of this document to make sure the 
event mappings are all correct. 


If you need to delete and recreate Log Source Type “Qualys LEEF” 


Add the following custom event properties to the newly created Log Source Type. For each property 
in the table below, Type should be "Regex". 


Property Name         Log Source Type   Log Source   Event Name                   Expression 
App Version           Qualys LEEF       All          QualysMultiline Information  app_version=([^\t]+) 
CVE                   Qualys LEEF       All          QualysMultiline Information  cves=([^\t]+) 
DNS                   Qualys LEEF       All          QualysMultiline Information  dns=([^\t]+) 
Detection Type        Qualys LEEF       All          QualysMultiline Information  detection_type=([^\t]+) 
First Found Datetime  Qualys LEEF       All          QualysMultiline Information  first_found_datetime=([^\t]+) 
Host IP               Qualys LEEF       All          QualysMultiline Information  ip=([^\t]+) 
Last Fixed Datetime   Qualys LEEF       All          QualysMultiline Information  last_fixed_datetime=([^\t]+) 
Last Found Datetime   Qualys LEEF       All          QualysMultiline Information  last_found_datetime=([^\t]+) 
Last Scan Datetime    Qualys LEEF       All          QualysMultiline Information  last_scan_datetime=([^\t]+) 
App ID                Qualys LEEF       All          QualysMultiline Information  app_id=([^\t]+) 
Last Test Datetime    Qualys LEEF       All          QualysMultiline Information  last_test_datetime=([^\t]+) 
Last Update Datetime  Qualys LEEF       All          QualysMultiline Information  last_update_datetime=([^\t]+) 
Network ID            Qualys LEEF       All          QualysMultiline Information  network_id=([^\t]+) 
Operating System      Qualys LEEF       All          QualysMultiline Information  os=([^\t]+) 
PCI Flag              Qualys LEEF       All          QualysMultiline Information  pci_flag=([^\t]+) 
Patchable             Qualys LEEF       All          QualysMultiline Information  patchable=([^\t]+) 
QID Category          Qualys LEEF       All          QualysMultiline Information  category=([^\t]+) 
QID Title             Qualys LEEF       All          QualysMultiline Information  title=([^\t]+) 
Qualys Host Id        Qualys LEEF       All          QualysMultiline Information  host_id=([^\t]+) 
Qualys QID            Qualys LEEF       All          QualysMultiline Information  qid=([^\t]+) 
Qualys Severity       Qualys LEEF       All          QualysMultiline Information  severity=([^\t]+) 
Severity Level        Qualys LEEF       All          QualysMultiline Information  severity_level=([^\t]+) 
Status                Qualys LEEF       All          QualysMultiline Information  status=([^\t]+) 
Tags                  Qualys LEEF       All          QualysMultiline Information  tags=([^\t]+) 
Tracking Method       Qualys LEEF       All          QualysMultiline Information  tracking_method=([^\t]+) 
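The expressions from the table above applied to a constructed Qualys-style LEEF payload, as an added Python example that is not part of the app or of this guide; the LEEF header layout, the attribute names and values in the sample payload, and the extra "results" attribute are assumptions:

```python
import re
from typing import Dict, List, Optional
# Expressions from the custom event property table above, keyed by Property Name.
# Each one captures up to the next tab because the attributes are tab-delimited.
PROPERTY_REGEX: Dict[str, str] = {
    "App Version": r"app_version=([^\t]+)",
    "CVE": r"cves=([^\t]+)",
    "DNS": r"dns=([^\t]+)",
    "Detection Type": r"detection_type=([^\t]+)",
    "First Found Datetime": r"first_found_datetime=([^\t]+)",
    "Host IP": r"ip=([^\t]+)",
    "Last Fixed Datetime": r"last_fixed_datetime=([^\t]+)",
    "Last Found Datetime": r"last_found_datetime=([^\t]+)",
    "Last Scan Datetime": r"last_scan_datetime=([^\t]+)",
    "App ID": r"app_id=([^\t]+)",
    "Last Test Datetime": r"last_test_datetime=([^\t]+)",
    "Last Update Datetime": r"last_update_datetime=([^\t]+)",
    "Network ID": r"network_id=([^\t]+)",
    "Operating System": r"os=([^\t]+)",
    "PCI Flag": r"pci_flag=([^\t]+)",
    "Patchable": r"patchable=([^\t]+)",
    "QID Category": r"category=([^\t]+)",
    "QID Title": r"title=([^\t]+)",
    "Qualys Host Id": r"host_id=([^\t]+)",
    "Qualys QID": r"qid=([^\t]+)",
    "Qualys Severity": r"severity=([^\t]+)",
    "Severity Level": r"severity_level=([^\t]+)",
    "Status": r"status=([^\t]+)",
    "Tags": r"tags=([^\t]+)",
    "Tracking Method": r"tracking_method=([^\t]+)",
}

# Constructed sample payload (not a real Qualys LEEF event): the header layout,
# the attribute names and the uncovered 'results' attribute are assumptions.
SAMPLE_PAYLOAD = (
    "LEEF:1.0|Qualys|QualysVM|2.0.1|Qualys|"
    "host_id=13126852\tip=10.0.0.5\tdns=web01.example.internal\t"
    "os=Windows Server 2012 R2 Standard 64 bit Edition\t"
    "qid=38739\ttitle=Deprecated SSH Cryptographic Settings\t"
    "category=General remote services\tseverity=2\tseverity_level=Medium\t"
    "detection_type=Confirmed\tpatchable=No\tpci_flag=Yes\tstatus=Active\t"
    "cves=\ttags=prod;dmz\ttracking_method=IP\t"
    "first_found_datetime=2021-04-15T17:17:00Z\t"
    "last_found_datetime=2021-04-22T17:17:00Z\t"
    "last_scan_datetime=2021-04-22T17:17:00Z\t"
    "results=SSH-2.0-OpenSSH_7.4\tapp_version=2.0.1"
)

def leef_attributes(payload: str) -> str:
    """Return the tab-delimited attribute block after the five LEEF header fields."""
    parts = payload.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF payload")
    return parts[5]

def extract_properties(payload: str) -> Dict[str, Optional[str]]:
    """Apply each regex unanchored, as a QRadar Regex property does: the first
    match wins, and an absent key or an empty value (cves=<tab>) yields None."""
    props: Dict[str, Optional[str]] = {}
    for name, pattern in PROPERTY_REGEX.items():
        match = re.search(pattern, payload)
        props[name] = match.group(1) if match else None
    return props

def unmapped_attributes(payload: str) -> List[str]:
    """Keys in the payload that no property in the table extracts, i.e. fields
    that would be missing from the DSM editor's custom property list."""
    covered = {pat.split("=", 1)[0] for pat in PROPERTY_REGEX.values()}
    keys = [a.split("=", 1)[0] for a in leef_attributes(payload).split("\t") if "=" in a]
    return [k for k in keys if k not in covered]

if __name__ == "__main__":
    print(extract_properties(SAMPLE_PAYLOAD))
    print("unmapped:", unmapped_attributes(SAMPLE_PAYLOAD))
```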


Helpful AQLs to check VM Detection Logs and Events 


Use the following AQLs to check VM detection data and perform troubleshooting. 


To check the logs 


You can download app logs from Qualys App container. Go to Advanced tab and click Download 
button next to Download Application Logs. You can also see ETL logs in ETL folder from the 
downloaded zip file. 


Get the PID (process id) of either etl_host_detection or etl_knowledgebase using the commands 
below inside the container: 

cat /opt/app-root/app/host_detection.pid 

cat /opt/app-root/app/etl_knowledgebase.pid 


In Log Activity, run the following queries under Advanced Search. They show you the log for 
the particular PID (replace <PID> with the appropriate process id): 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%PID=<PID>%' ORDER BY utf8_payload ASC 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%Qualys:HostDetection%' ORDER BY utf8_payload ASC 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%Qualys:Knowledgebase%' ORDER BY utf8_payload ASC 


SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE 
'%detections =%' ORDER BY utf8_payload ASC 


SELECT UTF8(payload) as utf8_payload from events where 
LOGSOURCENAME(logsourceid) = 'Qualys' OR LOGSOURCENAME(logsourceid) = 
'QualysMultiline' 


To check the event data payload 


SELECT LOGSOURCENAME(logsourceid) as logsourceids, UTF8(payload) as 
utf8_payload from events where LOGSOURCENAME(logsourceid) = 'Qualys' OR 
LOGSOURCENAME(logsourceid) = 'QualysMultiline' 


SELECT "Qualys Host Id", "Operating System", "Last Scan Datetime", "Tracking 
Method", "Qualys QID", "Qualys Severity", "Detection Type", "Status" from 
events where LOGSOURCENAME(logsourceid) = 'Qualys' OR 
LOGSOURCENAME(logsourceid) = 'QualysMultiline' 


Note: In the where clause, enter the name of the custom log source that you configured for 
data ingestion. 
Qualys Support 

If you tried the troubleshooting steps but still need help, please contact Qualys Support at 
https://www.qualys.com/support/ 

Provide the following information to Qualys Support: 


- Qualys App version number 

-  QRadar version number, including the patch number 

- Steps to reproduce the issue 

- Note any manual changes done to Qualys app’s code 

- Note any manual changes done to Qualys app’s container 

- Please download the logs from Admin > Qualys VM App Settings page and attach 
them to your support case. 


What's New 


Improvements in 2.0.1 
- QRadar API Version Upgrade 
  - We have updated the QRadar API version to 12 in the app, with respect to the 
minimum supported QRadar version 7.3.3. 
- Some minor bug fixes and enhancements. 